diff --git a/.github/styles/base/Dictionary.txt b/.github/styles/base/Dictionary.txt index cf8b6d0564..052daf1992 100644 --- a/.github/styles/base/Dictionary.txt +++ b/.github/styles/base/Dictionary.txt @@ -935,6 +935,7 @@ Valero Valero validator validators +Valkey vararg vc viewport diff --git a/app/_includes/plugins/redis-cloud-auth.md b/app/_includes/plugins/redis-cloud-auth.md new file mode 100644 index 0000000000..710e735542 --- /dev/null +++ b/app/_includes/plugins/redis-cloud-auth.md 
@@ -0,0 +1,224 @@ +## Using cloud authentication with Redis {% new_in 3.13 %} + +Starting in {{site.base_gateway}} 3.13, you can authenticate with a cloud Redis provider for your Redis strategy. This allows you to seamlessly rotate credentials without relying on static passwords. + +The following providers are supported: +* AWS ElastiCache +* Azure Managed Redis +* Google Cloud Memorystore (with or without Valkey) + +Each provider also supports an instance and cluster configuration. + +{:.warning} +> **Important:** {{site.base_gateway}} open source plugins do not support any Redis cloud provider cluster configurations. + +To configure cloud authentication with Redis, add the following parameters to your plugin configuration: + +{% navtabs "providers" %} +{% navtab "AWS instance" %} + +You need: +* A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later +* The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup) +* The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache: + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticache:Connect" + ], + "Resource": [ + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE", + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER" + ] + } + ] + } + ``` + +```yaml +config: + storage: redis + storage_config: + redis: + host: $INSTANCE_ADDRESS + username: $INSTANCE_USERNAME + port: 6379 + cloud_authentication: + auth_provider: aws + aws_cache_name: $AWS_CACHE_NAME + aws_is_serverless: false + aws_region: $AWS_REGION + aws_access_key_id: $AWS_ACCESS_KEY_ID + aws_secret_access_key: $AWS_ACCESS_SECRET_KEY +``` + +Replace the following with your actual values: +* `$INSTANCE_ADDRESS`: The ElastiCache instance 
address. +* `$INSTANCE_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup). +* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache instance. +* `$AWS_REGION`: Your AWS ElastiCache instance region. +* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. +* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key. +{% endnavtab %} +{% navtab "AWS cluster" %} + +You need: +* A running Redis instance on an [AWS ElastiCache cluster](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later +* The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup) +* The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache: + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticache:Connect" + ], + "Resource": [ + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE", + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER" + ] + } + ] + } + ``` + +```yaml +config: + storage: redis + storage_config: + redis: + cluster_nodes: + - ip: $CLUSTER_ADDRESS + port: 6379 + username: $CLUSTER_USERNAME + port: 6379 + cloud_authentication: + auth_provider: aws + aws_cache_name: $AWS_CACHE_NAME + aws_is_serverless: false + aws_region: $AWS_REGION + aws_access_key_id: $AWS_ACCESS_KEY_ID + aws_secret_access_key: $AWS_ACCESS_SECRET_KEY +``` + +Replace the following with your actual values: +* `$CLUSTER_ADDRESS`: The ElastiCache cluster address. +* `$CLUSTER_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup). +* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache cluster. +* `$AWS_REGION`: Your AWS ElastiCache cluster region. 
+* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. +* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key. +{% endnavtab %} +{% navtab "Azure instance" %} + +You need: +* A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured +* Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance + +```yaml +config: + storage: redis + storage_config: + redis: + host: $INSTANCE_ADDRESS + username: $INSTANCE_USERNAME + port: 6379 + cloud_authentication: + auth_provider: azure + azure_client_id: $AZURE_CLIENT_ID + azure_client_secret: $AZURE_CLIENT_SECRET + azure_tenant_id: $AZURE_TENANT_ID +``` +Replace the following with your actual values: +* `$INSTANCE_ADDRESS`: The Azure Managed Redis instance address. +* `$INSTANCE_USERNAME`: The object (principal) ID of the Principal/Identity with essential access. +* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity. +* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. +* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity. 
+ +{% endnavtab %} +{% navtab "Azure cluster" %} + +You need: +* A running Redis instance on an [Azure Managed Redis cluster](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured +* Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance + +```yaml +config: + storage: redis + storage_config: + redis: + cluster_nodes: + - ip: $CLUSTER_ADDRESS + port: 6379 + username: $CLUSTER_USERNAME + port: 6379 + cloud_authentication: + auth_provider: azure + azure_client_id: $AZURE_CLIENT_ID + azure_client_secret: $AZURE_CLIENT_SECRET + azure_tenant_id: $AZURE_TENANT_ID +``` +Replace the following with your actual values: +* `$CLUSTER_ADDRESS`: The Azure Managed Redis cluster address. +* `$CLUSTER_USERNAME`: The object (principal) ID of the Principal/Identity with essential access. +* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity. +* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. +* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity. 
+ +{% endnavtab %} +{% navtab "GCP instance" %} + +You need: +* A running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth) +* Assign the principal to the corresponding role: + * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster + * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey + +```yaml +config: + storage: redis + storage_config: + redis: + host: $INSTANCE_ADDRESS + port: 6379 + cloud_authentication: + auth_provider: gcp + gcp_service_account_json: $GCP_SERVICE_ACCOUNT +``` +Replace the following with your actual values: +* `$INSTANCE_ADDRESS`: The Memorystore instance address. +* `$GCP_SERVICE_ACCOUNT`: (Optional) The GCP service account JSON. +{% endnavtab %} +{% navtab "GCP cluster" %} + +You need: +* A running Redis instance on an [Google Cloud Memorystore cluster](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth) +* Assign the principal to the corresponding role: + * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster + * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey + +```yaml +config: + storage: redis + storage_config: + redis: + cluster_nodes: + - ip: $CLUSTER_ADDRESS + port: 6379 + port: 6379 + cloud_authentication: + auth_provider: gcp + gcp_service_account_json: $GCP_SERVICE_ACCOUNT +``` +Replace the following with your actual values: +* `$CLUSTER_ADDRESS`: The Memorystore cluster address. +* `$GCP_SERVICE_ACCOUNT`: The GCP service account JSON. 
+{% endnavtab %} +{% endnavtabs %} \ No newline at end of file diff --git a/app/_kong_plugins/acme/examples/redis-aws-instance.yaml b/app/_kong_plugins/acme/examples/redis-aws-instance.yaml new file mode 100644 index 0000000000..a3e4eada8c --- /dev/null +++ b/app/_kong_plugins/acme/examples/redis-aws-instance.yaml 
@@ -0,0 +1,91 @@ +title: ACME with Redis storage and AWS ElastiCache instance auth +description: | + Configure the ACME plugin with Redis as a storage backend using AWS ElastiCache instance auth + +weight: 860 + +requirements: +- A public IP and a resolvable DNS +- '{{site.base_gateway}} accepts proxy traffic on port 80' +- A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later +- The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup) +- | + The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache: + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticache:Connect" + ], + "Resource": [ + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE", + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER" + ] + } + ] + } + ``` + +config: + account_email: ${email} + account_key: + key_id: ${key_id} + key_set: ${key_set} + domains: + - ${domain} + tos_accepted: true + storage: redis + storage_config: + redis: + host: ${instance_address} + username: ${instance_username} + port: 6379 + cloud_authentication: + auth_provider: aws + aws_cache_name: ${aws_cache} + aws_is_serverless: false + aws_region: ${aws_region} + aws_access_key_id: ${aws_key_id} + aws_secret_access_key: ${aws_secret_key} + +variables: + email: + value: $EMAIL + description: The account identifier. + key_id: + value: $KEY_ID + description: The kid of a [Key](/gateway/entities/key/). + key_set: + value: $KEY_SET + description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with. + domain: + value: $DOMAIN + description: An array of strings representing hosts. + instance_address: + value: $INSTANCE_ADDRESS + description: The ElastiCache instance address. 
+ instance_username: + value: $INSTANCE_USERNAME + description: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup). + aws_cache: + value: $AWS_CACHE_NAME + description: Name of your AWS ElastiCache instance. + aws_region: + value: $AWS_REGION + description: Your AWS ElastiCache instance region. + aws_key_id: + value: $AWS_ACCESS_KEY_ID + description: (Optional) Your AWS access key ID. + aws_secret_key: + value: $AWS_ACCESS_SECRET_KEY + description: (Optional) Your AWS secret access key. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform \ No newline at end of file diff --git a/app/_kong_plugins/acme/examples/redis-azure-instance.yaml b/app/_kong_plugins/acme/examples/redis-azure-instance.yaml new file mode 100644 index 0000000000..66a49f842d --- /dev/null +++ b/app/_kong_plugins/acme/examples/redis-azure-instance.yaml 
@@ -0,0 +1,67 @@ +title: ACME with Redis storage and Azure Managed Redis instance auth +description: | + Configure the ACME plugin with Redis as a storage backend using Azure Managed Redis instance auth + +weight: 860 + +requirements: +- A public IP and a resolvable DNS +- '{{site.base_gateway}} accepts proxy traffic on port 80' +- A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured +- Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance + +config: + account_email: ${email} + account_key: + key_id: ${key_id} + key_set: ${key_set} + domains: + - ${domain} + tos_accepted: true + storage: redis + storage_config: + redis: + host: ${instance_address} + username: ${instance_username} + port: 6379 + cloud_authentication: + auth_provider: azure + azure_client_id: ${azure_client_id} + azure_client_secret: ${azure_client_secret} + azure_tenant_id: ${azure_tenant_id} + +variables: + email: + value: $EMAIL + description: The account identifier. + key_id: + value: $KEY_ID + description: The kid of a [Key](/gateway/entities/key/). + key_set: + value: $KEY_SET + description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with. + domain: + value: $DOMAIN + description: An array of strings representing hosts. + instance_address: + value: $INSTANCE_ADDRESS + description: The Azure Managed Redis instance address. + instance_username: + value: $INSTANCE_USERNAME + description: The object (principal) ID of the Principal/Identity with essential access. + azure_client_id: + value: $AZURE_CLIENT_ID + description: The client ID of the Principal/Identity. 
+ azure_client_secret: + value: $AZURE_CLIENT_SECRET + description: (Optional) The client secret of the Principal/Identity. + azure_tenant_id: + value: $AZURE_TENANT_ID + description: (Optional) The tenant ID of the Principal/Identity. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform \ No newline at end of file diff --git a/app/_kong_plugins/acme/examples/redis-gcp-instance.yaml b/app/_kong_plugins/acme/examples/redis-gcp-instance.yaml new file mode 100644 index 0000000000..e78b5a5271 --- /dev/null +++ b/app/_kong_plugins/acme/examples/redis-gcp-instance.yaml 
@@ -0,0 +1,58 @@ +title: ACME with Redis storage and Google Cloud Memorystore instance auth +description: | + Configure the ACME plugin with Redis as a storage backend using Google Cloud Memorystore instance auth + +weight: 860 + +requirements: +- A public IP and a resolvable DNS +- '{{site.base_gateway}} accepts proxy traffic on port 80' +- A running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth) +- | + Assign the principal to the corresponding role: + * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster + * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey + +config: + account_email: ${email} + account_key: + key_id: ${key_id} + key_set: ${key_set} + domains: + - ${domain} + tos_accepted: true + storage: redis + storage_config: + redis: + host: ${instance_address} + port: 6379 + cloud_authentication: + auth_provider: gcp + gcp_service_account_json: ${service_account} + +variables: + email: + value: $EMAIL + description: The account identifier. + key_id: + value: $KEY_ID + description: The kid of a [Key](/gateway/entities/key/). + key_set: + value: $KEY_SET + description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with. + domain: + value: $DOMAIN + description: An array of strings representing hosts. + instance_address: + value: $INSTANCE_ADDRESS + description: The Memorystore instance address. + service_account: + value: $GCP_SERVICE_ACCOUNT + description: The GCP service account JSON. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform \ No newline at end of file diff --git a/app/_kong_plugins/acme/index.md b/app/_kong_plugins/acme/index.md index c22342b97c..596c0ff459 100644 
--- a/app/_kong_plugins/acme/index.md +++ b/app/_kong_plugins/acme/index.md @@ -221,3 +221,6 @@ You can see what certificates {{site.base_gateway}} is currently is aware of usi The ACME plugin supports external account binding (EAB) with the [`config.eab_kid`](/plugins/acme/reference/#schema--config-eab-kid) and [`config.eab_hmac_key`](/plugins/acme/reference/#schema--config-eab-hmac-key) values. If you're using [ZeroSSL](https://zerossl.com/), the provider's external account can be registered automatically, without specifying the KID or HMAC key. + + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/ai-proxy-advanced/index.md b/app/_kong_plugins/ai-proxy-advanced/index.md index 8c7b5d1dbc..2b685a7980 100644 --- a/app/_kong_plugins/ai-proxy-advanced/index.md +++ b/app/_kong_plugins/ai-proxy-advanced/index.md @@ -230,3 +230,5 @@ For example, load balancers with the following target combinations are supported ## Vector databases {% include_cached /plugins/ai-vector-db.md name=page.name %} + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/ai-rag-injector/index.md b/app/_kong_plugins/ai-rag-injector/index.md index 1cc903e2cb..6ade384f9e 100644 --- a/app/_kong_plugins/ai-rag-injector/index.md +++ b/app/_kong_plugins/ai-rag-injector/index.md @@ -488,4 +488,5 @@ Use the [Admin API](/plugins/ai-rag-injector/api/) to ingest content with metada ```bash POST /ai-rag-injector/{pluginID}/lookup_chunks {"prompt": "...", "collection": "finance-reports", "filters": {...}} - ``` \ No newline at end of file + ``` +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-cluster.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-cluster.yaml new file mode 100644 index 0000000000..ba6e3a039a --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-cluster.yaml 
@@ -0,0 +1,94 @@ +description: Rate limit requests based on a custom token with AWS ElastiCache cluster auth +extended_description: | + Protect your LLM services with rate limiting and AWS ElastiCache cluster auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function with AWS ElastiCache cluster auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [AWS ElastiCache cluster](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup) + - | + The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache: + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticache:Connect" + ], + "Resource": [ + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE", + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER" + ] + } + ] + } + ``` + +weight: 900 + +config: + strategy: redis + redis: + cluster_nodes: + - ip: ${cluster_address} + port: 6379 + username: ${cluster_username} + port: 6379 + cloud_authentication: + auth_provider: aws + aws_cache_name: ${aws_cache} + aws_is_serverless: false + aws_region: ${aws_region} + aws_access_key_id: ${aws_key_id} + aws_secret_access_key: ${aws_secret_key} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + cluster_address: + value: $CLUSTER_ADDRESS + description: The ElastiCache cluster address. + cluster_username: + value: $CLUSTER_USERNAME + description: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup). + aws_cache: + value: $AWS_CACHE_NAME + description: Name of your AWS ElastiCache instance. + aws_region: + value: $AWS_REGION + description: Your AWS ElastiCache instance region. + aws_key_id: + value: $AWS_ACCESS_KEY_ID + description: (Optional) Your AWS access key ID. + aws_secret_key: + value: $AWS_ACCESS_SECRET_KEY + description: (Optional) Your AWS secret access key. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform 
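Review bot: in request-prompt-count-aws-cluster.yaml the `aws_cache` and `aws_region` variable descriptions say "Name of your AWS ElastiCache instance." and "Your AWS ElastiCache instance region." although this example is the cluster variant; change both to "cluster" so they match `cluster_address`/`cluster_username`. Under `config.redis` a `port: 6379` appears both inside the `cluster_nodes` entry and again after `username`; for a cluster configuration the per-node port is the one that matters, so either drop the `redis`-level `port` or add a sentence saying what it is used for when `cluster_nodes` is set. The `extended_description` also has a doubled word: "which lets you you rate limit requests" should be "which lets you rate limit requests".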
diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-instance.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-instance.yaml new file mode 100644 index 0000000000..07a87d28dc --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-aws-instance.yaml 
@@ -0,0 +1,92 @@ +description: Rate limit requests based on a custom token with AWS ElastiCache instance auth +extended_description: | + Protect your LLM services with rate limiting and AWS ElastiCache instance auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function with AWS ElastiCache instance auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - The [ElastiCache user needs to set "Authentication mode" to "IAM"](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup) + - | + The following policy assigned to the IAM user/IAM role that is used to connect to the ElastiCache: + ```json + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticache:Connect" + ], + "Resource": [ + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE", + "arn:aws:elasticache:ARN_OF_THE_ELASTICACHE_USER" + ] + } + ] + } + ``` + +weight: 900 + +config: + strategy: redis + redis: + host: ${instance_address} + username: ${instance_username} + port: 6379 + cloud_authentication: + auth_provider: aws + aws_cache_name: ${aws_cache} + aws_is_serverless: false + aws_region: ${aws_region} + aws_access_key_id: ${aws_key_id} + aws_secret_access_key: ${aws_secret_key} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + instance_address: + value: $INSTANCE_ADDRESS + description: The ElastiCache instance address. + instance_username: + value: $INSTANCE_USERNAME + description: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup). + aws_cache: + value: $AWS_CACHE_NAME + description: Name of your AWS ElastiCache instance. + aws_region: + value: $AWS_REGION + description: Your AWS ElastiCache instance region. + aws_key_id: + value: $AWS_ACCESS_KEY_ID + description: (Optional) Your AWS access key ID. + aws_secret_key: + value: $AWS_ACCESS_SECRET_KEY + description: (Optional) Your AWS secret access key. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform 
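Review bot: request-prompt-count-aws-instance.yaml carries the same doubled word in `extended_description`, "lets you you rate limit", which should read "lets you rate limit". The `aws_key_id` and `aws_secret_key` variables are marked "(Optional)" but nothing says what credential source the plugin uses when they are left out; a short sentence on the fallback would tell operators whether they can avoid embedding a long-lived access key in the plugin config. `aws_is_serverless: false` is set in `config` but has no entry under `variables`, so a reader has no guidance on when to flip it to `true`.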
diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-cluster.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-cluster.yaml new file mode 100644 index 0000000000..f4bdd6d549 --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-cluster.yaml 
@@ -0,0 +1,70 @@ +description: Rate limit requests based on a custom token with Azure Managed Redis cluster auth +extended_description: | + Protect your LLM services with rate limiting and Azure Managed Redis cluster auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function with Azure Managed Redis cluster auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [Azure Managed Redis cluster](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance + +weight: 900 + +config: + strategy: redis + redis: + cluster_nodes: + - ip: ${cluster_address} + port: 6379 + username: ${cluster_username} + port: 6379 + cloud_authentication: + auth_provider: azure + azure_client_id: ${azure_client_id} + azure_client_secret: ${azure_client_secret} + azure_tenant_id: ${azure_tenant_id} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + cluster_address: + value: $CLUSTER_ADDRESS + description: The Azure Managed Redis cluster address. + cluster_username: + value: $CLUSTER_USERNAME + description: The object (principal) ID of the Principal/Identity with essential access. + azure_client_id: + value: $AZURE_CLIENT_ID + description: The client ID of the Principal/Identity. + azure_client_secret: + value: $AZURE_CLIENT_SECRET + description: (Optional) The client secret of the Principal/Identity. + azure_tenant_id: + value: $AZURE_TENANT_ID + description: (Optional) The tenant ID of the Principal/Identity. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-instance.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-instance.yaml new file mode 100644 index 0000000000..9aa9b43bc2 --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-azure-instance.yaml 
@@ -0,0 +1,68 @@ +description: Rate limit requests based on a custom token with Azure Managed Redis instance auth +extended_description: | + Protect your LLM services with rate limiting and Azure Managed Redis instance auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function with Azure Managed Redis instance auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - Add the [user/service principal/identity to the "Microsoft Entra Authentication Redis user" list](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication#add-users-or-system-principal-to-your-cache) for the Azure Managed Redis instance + +weight: 900 + +config: + strategy: redis + redis: + host: ${instance_address} + username: ${instance_username} + port: 6379 + cloud_authentication: + auth_provider: azure + azure_client_id: ${azure_client_id} + azure_client_secret: ${azure_client_secret} + azure_tenant_id: ${azure_tenant_id} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + instance_address: + value: $INSTANCE_ADDRESS + description: The Azure Managed Redis instance address. + instance_username: + value: $INSTANCE_USERNAME + description: The object (principal) ID of the Principal/Identity with essential access. + azure_client_id: + value: $AZURE_CLIENT_ID + description: The client ID of the Principal/Identity. + azure_client_secret: + value: $AZURE_CLIENT_SECRET + description: (Optional) The tenant ID of the Principal/Identity. + azure_tenant_id: + value: $AZURE_TENANT_ID + description: (Optional) The tenant ID of the Principal/Identity. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-cluster.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-cluster.yaml new file mode 100644 index 0000000000..10233be667 --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-cluster.yaml 
@@ -0,0 +1,61 @@ +description: Rate limit requests based on a custom token with Google Cloud Memorystore cluster auth +extended_description: | + Protect your LLM services with rate limiting and Google Cloud Memorystore cluster auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function with Google Cloud Memorystore cluster auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [Google Cloud Memorystore cluster](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth) + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - | + Assign the principal to the corresponding role: + * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster + * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey + +weight: 900 + +config: + strategy: redis + redis: + cluster_nodes: + - ip: ${cluster_address} + port: 6379 + port: 6379 + cloud_authentication: + auth_provider: gcp + gcp_service_account_json: ${service_account} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + cluster_address: + value: $CLUSTER_ADDRESS + description: The Memorystore cluster address. + service_account: + value: $GCP_SERVICE_ACCOUNT + description: The GCP service account JSON. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform \ No newline at end of file diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-instance.yaml b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-instance.yaml new file mode 100644 index 0000000000..0bbe0bf9db --- /dev/null +++ b/app/_kong_plugins/ai-rate-limiting-advanced/examples/request-prompt-count-gcp-instance.yaml 
@@ -0,0 +1,59 @@ +description: Rate limit requests based on a custom token with Google Cloud Memorystore instance auth +extended_description: | + Protect your LLM services with rate limiting and Google Cloud Memorystore instance auth. + The AI Rate Limiting Advanced plugin will analyze query costs and token response + to provide an enterprise-grade rate limiting strategy. + + The following example uses request prompt rate limiting, which lets you you rate limit requests based on a custom token. See the [how-to guide](/how-to/use-custom-function-for-ai-rate-limiting/) for a step-by-step walkthrough. + +title: 'Request prompt function Google Cloud Memorystore instance auth' + +requirements: + - "[AI Proxy plugin](/plugins/ai-proxy/) or [AI Proxy Advanced plugin](/plugins/ai-proxy-advanced/) configured with an LLM service" + - A running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth) + - "Port `6379`, or your custom Redis port is open and reachable from {{site.base_gateway}}." 
+ - | + Assign the principal to the corresponding role: + * [Cloud Memorystore Redis DB Connection User(`roles/redis.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/cluster/about-iam-auth) for Memorystore for Redis Cluster + * [Memorystore DB Connector User (`roles/memorystore.dbConnectionUser`)](https://docs.cloud.google.com/memorystore/docs/valkey/about-iam-auth) for Memorystore for Valkey + +weight: 900 + +config: + strategy: redis + redis: + host: ${instance_address} + port: 6379 + cloud_authentication: + auth_provider: gcp + gcp_service_account_json: ${service_account} + sync_rate: 0 + llm_providers: + - name: cohere + limit: + - 100 + - 1000 + window_size: + - 60 + - 3600 + request_prompt_count_function: | + local header_count = tonumber(kong.request.get_header("x-prompt-count")) + if header_count then + return header_count + end + return 0 + +variables: + instance_address: + value: $INSTANCE_ADDRESS + description: The Memorystore instance address. + service_account: + value: $GCP_SERVICE_ACCOUNT + description: The GCP service account JSON. + +tools: + - deck + - admin-api + - konnect-api + - kic + - terraform diff --git a/app/_kong_plugins/ai-rate-limiting-advanced/index.md b/app/_kong_plugins/ai-rate-limiting-advanced/index.md index 9d894b08b7..43060b0920 100644 --- a/app/_kong_plugins/ai-rate-limiting-advanced/index.md +++ b/app/_kong_plugins/ai-rate-limiting-advanced/index.md @@ -72,6 +72,8 @@ See [Rate Limiting in {{site.base_gateway}}](/gateway/rate-limiting/) to choose {% include_cached /plugins/rate-limiting/strategies.md name=page.name %} +{% include plugins/redis-cloud-auth.md %} + ## Headers sent to the client When this plugin is enabled, {{site.base_gateway}} sends some additional headers back to the client, diff --git a/app/_kong_plugins/ai-semantic-cache/index.md b/app/_kong_plugins/ai-semantic-cache/index.md index 3532c13575..c13c47fa8c 100644 --- a/app/_kong_plugins/ai-semantic-cache/index.md 
+++ b/app/_kong_plugins/ai-semantic-cache/index.md @@ -174,3 +174,5 @@ The plugin respects cache control headers to determine if requests and responses {:.info} > As most AI services always send `no-cache` in the response headers, setting `cache_control` to `true` will always result in a cache bypass. Only consider setting `no-cache` if you are using self-hosted services and have control over the response Cache Control headers. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/ai-semantic-prompt-guard/index.md b/app/_kong_plugins/ai-semantic-prompt-guard/index.md index 8e9f6049f5..6e31a503f6 100644 --- a/app/_kong_plugins/ai-semantic-prompt-guard/index.md +++ b/app/_kong_plugins/ai-semantic-prompt-guard/index.md @@ -92,3 +92,5 @@ The matching behavior is as follows: ## Vector databases {% include_cached /plugins/ai-vector-db.md name=page.name %} + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/ai-semantic-response-guard/index.md b/app/_kong_plugins/ai-semantic-response-guard/index.md index f5e1e1fad2..40c11978d1 100644 --- a/app/_kong_plugins/ai-semantic-response-guard/index.md +++ b/app/_kong_plugins/ai-semantic-response-guard/index.md @@ -87,3 +87,5 @@ To enforce these rules, the plugin: {:.info} > If a response is blocked or if a system error occurs during evaluation, the plugin returns a `400 Bad Request` to the client without exposing that the Semantic Response Guard blocked it. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/basic-auth/index.md b/app/_kong_plugins/basic-auth/index.md index 210b75c801..9fa6630cf7 100644 --- a/app/_kong_plugins/basic-auth/index.md +++ b/app/_kong_plugins/basic-auth/index.md 
@@ -113,3 +113,5 @@ Keep the following limitations in mind when you configure brute force protection * There is no way to unlock a user. You can manually delete the counter key from Redis or PostgreSQL. * If the Redis connection fails, the brute force protection will error out. * Each backend has different impacts on performance. In-memory has the best performance, PostgreSQL the poorest, and Redis is better than PostgreSQL. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/datakit/index.md b/app/_kong_plugins/datakit/index.md index f5e8cfab45..b2817a44e6 100644 --- a/app/_kong_plugins/datakit/index.md +++ b/app/_kong_plugins/datakit/index.md @@ -1942,3 +1942,5 @@ a result of `NODE_SKIPPED`. consumption to aid development and testing. Backwards-incompatible changes to the report format _may_ be included with any new release of {{site.base_gateway}}. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/graphql-proxy-cache-advanced/index.md b/app/_kong_plugins/graphql-proxy-cache-advanced/index.md index 8316b6d984..3a82d73f99 100644 --- a/app/_kong_plugins/graphql-proxy-cache-advanced/index.md +++ b/app/_kong_plugins/graphql-proxy-cache-advanced/index.md @@ -81,4 +81,6 @@ key = md5(UUID | headers | body) ## Managing cache entities -{% include_cached /plugins/caching/api.md name=page.name slug=page.slug %} \ No newline at end of file +{% include_cached /plugins/caching/api.md name=page.name slug=page.slug %} + +{% include plugins/redis-cloud-auth.md %} \ No newline at end of file diff --git a/app/_kong_plugins/graphql-rate-limiting-advanced/index.md b/app/_kong_plugins/graphql-rate-limiting-advanced/index.md index 11423271f5..f14e3c4f95 100644 --- a/app/_kong_plugins/graphql-rate-limiting-advanced/index.md +++ b/app/_kong_plugins/graphql-rate-limiting-advanced/index.md 
@@ -396,3 +396,5 @@ You can use the Admin API to: To access these endpoints, [enable the plugin](/plugins/graphql-rate-limiting-advanced/examples/) first. The GraphQL cost management endpoints will appear once the plugin has been enabled. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/openid-connect/index.md b/app/_kong_plugins/openid-connect/index.md index d7dc2e71fd..1e8ad1edf7 100644 --- a/app/_kong_plugins/openid-connect/index.md +++ b/app/_kong_plugins/openid-connect/index.md @@ -588,6 +588,8 @@ If one of these other applications is causing issues, looking into using the fol * [Port maps](/gateway/configuration/#port-maps) * [`X-Forwarded-*` headers](/gateway/configuration/#trusted-ips) +{% include plugins/redis-cloud-auth.md %} + ## Supported identity providers The plugin has been tested with several OpenID Connect providers: diff --git a/app/_kong_plugins/proxy-cache-advanced/index.md b/app/_kong_plugins/proxy-cache-advanced/index.md index 1eb1ba8d2e..37c8581eea 100644 --- a/app/_kong_plugins/proxy-cache-advanced/index.md +++ b/app/_kong_plugins/proxy-cache-advanced/index.md @@ -94,4 +94,6 @@ This plugin extends the [Proxy Cache plugin](/plugins/proxy-cache/) with Redis, ## Managing cache entities -{% include_cached /plugins/caching/api.md name=page.name slug=page.slug %} \ No newline at end of file +{% include_cached /plugins/caching/api.md name=page.name slug=page.slug %} + +{% include plugins/redis-cloud-auth.md %} \ No newline at end of file diff --git a/app/_kong_plugins/rate-limiting-advanced/index.md b/app/_kong_plugins/rate-limiting-advanced/index.md index c43f077651..4dd55122b0 100644 --- a/app/_kong_plugins/rate-limiting-advanced/index.md +++ b/app/_kong_plugins/rate-limiting-advanced/index.md 
@@ -164,6 +164,8 @@ Otherwise the field will be regenerated automatically with every update. {% include_cached /plugins/rate-limiting/strategies.md name=page.name %} +{% include plugins/redis-cloud-auth.md %} + ### Fallback from Redis When the `redis` strategy is used and a {{site.base_gateway}} node is disconnected from Redis, the `rate-limiting-advanced` plugin will fall back to `local`. diff --git a/app/_kong_plugins/rate-limiting/index.md b/app/_kong_plugins/rate-limiting/index.md index 18ab59d95e..57331578d1 100644 --- a/app/_kong_plugins/rate-limiting/index.md +++ b/app/_kong_plugins/rate-limiting/index.md @@ -86,3 +86,5 @@ See [Rate Limiting in {{site.base_gateway}}](/gateway/rate-limiting/) to choose ## Headers sent to the client {% include_cached /plugins/rate-limiting/headers.md name=page.name %} + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/request-callout/index.md b/app/_kong_plugins/request-callout/index.md index 60dff290c1..eb108a52d9 100644 --- a/app/_kong_plugins/request-callout/index.md +++ b/app/_kong_plugins/request-callout/index.md @@ -154,3 +154,5 @@ request components: and incoming proxy request headers and query params are not. If callout headers and query params have a `forward` flag set, then incoming request headers and query params are forwarded in the callout requests, causing them to be part of the cache key. + +{% include plugins/redis-cloud-auth.md %} \ No newline at end of file diff --git a/app/_kong_plugins/response-ratelimiting/index.md b/app/_kong_plugins/response-ratelimiting/index.md index 8a9fb58ecd..ff53341393 100644 --- a/app/_kong_plugins/response-ratelimiting/index.md +++ b/app/_kong_plugins/response-ratelimiting/index.md @@ -118,3 +118,5 @@ The headers are in the form of `X-RateLimit-Remaining-LIMIT_NAME`, for example: X-RateLimit-Remaining-Videos: 3 X-RateLimit-Remaining-Images: 0 ``` + +{% include plugins/redis-cloud-auth.md %} 
diff --git a/app/_kong_plugins/saml/index.md b/app/_kong_plugins/saml/index.md index 358c2a6119..14db2dffa5 100644 --- a/app/_kong_plugins/saml/index.md +++ b/app/_kong_plugins/saml/index.md @@ -151,3 +151,5 @@ Remove the header and footer before including the certificate in the `idp_certif ``` ``` + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/service-protection/index.md b/app/_kong_plugins/service-protection/index.md index afb0befa86..ce5d68de7d 100644 --- a/app/_kong_plugins/service-protection/index.md +++ b/app/_kong_plugins/service-protection/index.md @@ -59,3 +59,5 @@ Set absolute maximum rate limits for Gateway Services using the Service Protecti You can use this plugin together with other rate limiting plugins to apply granular rate limits based on different entities. If you want to apply global rate limits or apply rate limits to Routes and Consumers, see the [Rate Limiting with {{site.base_gateway}}](/gateway/rate-limiting/) page for additional rate limiting plugins. + +{% include plugins/redis-cloud-auth.md %} diff --git a/app/_kong_plugins/upstream-oauth/index.md b/app/_kong_plugins/upstream-oauth/index.md index 62b2f17032..dc317b62b7 100644 --- a/app/_kong_plugins/upstream-oauth/index.md +++ b/app/_kong_plugins/upstream-oauth/index.md @@ -112,3 +112,5 @@ The plugin supports the following caching [strategies](/plugins/upstream-oauth/r * `memory`: A locally stored `lua_shared_dict`. The default dictionary, `kong_db_cache`, is also used by other plugins and {{site.base_gateway}} elements to store unrelated database cache entities. * `redis`: Supports Redis, Redis Cluster, and Redis Sentinel deployments. + +{% include plugins/redis-cloud-auth.md %}
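Review bot: In the Azure Managed Redis example's `variables` block, the `azure_client_secret` description is a copy of the `azure_tenant_id` one ("(Optional) The tenant ID of the Principal/Identity.") and should describe the client secret instead; while fixing it, confirm whether the secret is really optional and, if it is, state when it can be omitted.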
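Review bot: In `request-prompt-count-gcp-cluster.yaml`, the `redis` block carries `port: 6379` both inside `cluster_nodes` and at the `redis` level; if the top-level `port` is ignored for cluster mode, drop it so readers do not assume it matters. The same hunk has "lets you you rate limit" (doubled "you"), "an [Google Cloud Memorystore cluster]" should read "a [Google Cloud Memorystore cluster]", "Connection User(`roles/redis.dbConnectionUser`)" is missing the space before the parenthesis, and the new file ends without a trailing newline unlike the other example files.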
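Review bot: In `request-prompt-count-gcp-instance.yaml`, the requirement link text says "Google Cloud Memorystore instance" but the URL is the cluster IAM-auth page (`memorystore/docs/cluster/about-iam-auth`); confirm that is the intended target. The title is missing "with" ("Request prompt function with Google Cloud Memorystore instance auth", matching the cluster file), and "lets you you rate limit" repeats "you" here as well. Since `gcp_service_account_json` is a long-lived credential placed directly in the plugin config, it would help to point readers at storing it as a vault reference rather than inline.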
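Review bot: In `rate-limiting-advanced/index.md`, the include is inserted between the strategies include and `### Fallback from Redis`; because the included file opens with a `##` heading ("Using cloud authentication with Redis"), the fallback subsection is re-parented under the new cloud-authentication section. Move the include after the "Fallback from Redis" subsection (after the last `###` that belongs to the strategies section).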
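Review bot: In `ai-rate-limiting-advanced/index.md` (and every other `index.md` hunk), the new line uses `{% include plugins/redis-cloud-auth.md %}` while the neighbouring includes use `{% include_cached /plugins/... %}` with a leading slash. If `include_cached` was avoided on purpose (the snippet uses `navtabs` and `{{site.base_gateway}}`), a short comment explaining it would prevent someone "fixing" it later; otherwise align the form with the existing includes.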
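Review bot: In `basic-auth/index.md`, the include lands right after the limitation "If the Redis connection fails, the brute force protection will error out." Cloud authentication adds a credential-acquisition step before the connection, so it is worth checking that this limitation still describes the behaviour and stating how a failed IAM/Entra/GCP token fetch surfaces (same error path, or a distinct message) so operators can alert on it.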
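Review bot: In `request-callout/index.md`, the hunk removes the file's trailing newline (the `\ No newline at end of file` marker now follows the added include line); restore it. In `graphql-proxy-cache-advanced/index.md` and `proxy-cache-advanced/index.md` the files already lacked a trailing newline and the hunks keep it that way; since the file end is being touched anyway, adding the newline there would be cheap.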